Switch base images from Docker Hub to GHCR mirror

Avoids Docker Hub 429 rate limits by pulling node:20-alpine and nginx:stable-alpine from ghcr.io/cartsnitch/mirror/. GHCR login now runs on all builds (not just main push) to authenticate pulls. Ref: cartsnitch/infra#7, CAR-55 Co-Authored-By: Paperclip <noreply@paperclip.ing>
feat: add Renovate dependency update config
2026-03-18 18:37:47 +00:00 · 2026-03-18 18:21:31 +00:00 · 2026-03-18 18:20:31 +00:00 · 2026-03-18 18:11:01 +00:00 · 2026-03-18 16:36:02 +00:00 · 2026-03-18 14:27:23 +00:00
5 changed files with 71 additions and 4 deletions
@@ -0,0 +1,8 @@
+node_modules
+dist
+.git
+.github
+*.md
+.env*
+.vscode
+coverage
@@ -20,7 +20,7 @@ env:

 jobs:
  lint:
-    runs-on: local-ubuntu-latest
+    runs-on: local-ubuntu-latest-cartsnitch
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
@@ -34,7 +34,7 @@ jobs:
        run: npx tsc --noEmit

  test:
-    runs-on: local-ubuntu-latest
+    runs-on: local-ubuntu-latest-cartsnitch
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
@@ -46,13 +46,12 @@ jobs:
        run: npx vitest run

  build-and-push:
-    runs-on: local-ubuntu-latest
+    runs-on: local-ubuntu-latest-cartsnitch
    needs: [lint, test]
    steps:
      - uses: actions/checkout@v4

      - name: Log in to GHCR
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
@@ -0,0 +1,21 @@
+# Stage 1: Build
+FROM ghcr.io/cartsnitch/mirror/node:20-alpine AS build
+
+WORKDIR /app
+
+COPY package.json package-lock.json ./
+RUN npm ci
+
+COPY . .
+RUN npm run build
+
+# Stage 2: Production
+FROM ghcr.io/cartsnitch/mirror/nginx:stable-alpine AS prod
+
+COPY --from=build /app/dist /usr/share/nginx/html
+COPY nginx.conf /etc/nginx/conf.d/default.conf
+
+EXPOSE 80
+
+HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
+  CMD wget -qO- http://localhost/health || exit 1
@@ -0,0 +1,35 @@
+server {
+    listen 80;
+    server_name _;
+    root /usr/share/nginx/html;
+    index index.html;
+
+    # Gzip compression
+    gzip on;
+    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml;
+    gzip_min_length 256;
+
+    # Health endpoint for K8s probes
+    location /health {
+        access_log off;
+        return 200 'ok';
+        add_header Content-Type text/plain;
+    }
+
+    # Cache static assets aggressively (Vite hashes filenames)
+    location /assets/ {
+        expires 1y;
+        add_header Cache-Control "public, immutable";
+    }
+
+    # Service worker — must not be cached
+    location /sw.js {
+        expires off;
+        add_header Cache-Control "no-cache, no-store, must-revalidate";
+    }
+
+    # SPA fallback — serve index.html for all routes
+    location / {
+        try_files $uri $uri/ /index.html;
+    }
+}
@@ -0,0 +1,4 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": ["local>cartsnitch/.github:renovate-config"]
+}
Author	SHA1	Message	Date
deploy-debbie[bot]	0789de39f0	Switch base images from Docker Hub to GHCR mirror Avoids Docker Hub 429 rate limits by pulling node:20-alpine and nginx:stable-alpine from ghcr.io/cartsnitch/mirror/. GHCR login now runs on all builds (not just main push) to authenticate pulls. Ref: cartsnitch/infra#7, CAR-55 Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-03-18 18:37:47 +00:00
deploy-debbie[bot]	e57baa4468	feat: add Renovate dependency update config Extends the shared CartSnitch Renovate preset from cartsnitch/.github. Minor/patch automerge, major requires review, dependency PRs labeled and grouped. Co-authored-by: Deploy Debbie <debbie@cartsnitch.com> Co-authored-by: Paperclip <noreply@paperclip.ing>	2026-03-18 18:21:31 +00:00
deploy-debbie[bot]	e42b7e1a66	fix(ci): remove unnecessary Docker Hub login step The build-and-push job had an unconditional Docker Hub login step that was failing because DOCKERHUB_USERNAME and DOCKERHUB_TOKEN secrets are not provisioned. Since we push images to GHCR (not Docker Hub), this step is not needed. Closes cartsnitch/infra#5 Co-authored-by: deploy-debbie[bot] <268472978+deploy-debbie[bot]@users.noreply.github.com> Co-authored-by: Paperclip <noreply@paperclip.ing>	2026-03-18 18:20:31 +00:00
chip-overstock[bot]	265f2ae654	Merge pull request #9 from cartsnitch/fix/ci-docker-ratelimit Fix CI: add Docker Hub credentials for base image pulls	2026-03-18 18:11:01 +00:00
Deploy Debbie	2c4e78f0a7	fix(ci): add Docker Hub login to avoid rate limit on base image pulls The build-and-push job pulls node:20-alpine and nginx:stable-alpine from Docker Hub during docker build. Without authentication these pulls hit the unauthenticated rate limit, causing intermittent build failures. Closes #8 Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-03-18 16:36:02 +00:00
chip-overstock[bot]	da775d362a	Merge pull request #7 from cartsnitch/feature/dockerfile feat: add multi-stage Dockerfile for PWA	2026-03-18 14:27:23 +00:00
deploy-debbie[bot]	42acdc070e	feat: add multi-stage Dockerfile for PWA Build stage uses node:20-alpine to install deps and build. Prod stage uses nginx:stable-alpine to serve static assets. Includes nginx config with SPA routing, gzip, health endpoint, and aggressive caching for Vite-hashed assets. Closes #6 Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-03-18 13:26:57 +00:00
chip-overstock[bot]	be0d4333b2	Merge pull request #2 from cartsnitch/feature/core-screens feat: core PWA screens (auth, dashboard, purchases, products, alerts, settings)	2026-03-18 13:20:19 +00:00
chip-overstock[bot]	c3866c9628	Merge pull request #3 from cartsnitch/fix/runner-label fix: use correct ARC runner label	2026-03-18 03:11:04 +00:00
deploy-debbie[bot]	e39f77b3dd	fix: use local-ubuntu-latest-cartsnitch runner label Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-03-18 02:57:03 +00:00